Posted by kdawson on Tuesday May 04, 2010 @01:59PM from the keeping-it-real dept.

coondoggie sends in a Network World interview with HD Moore on the occasion of the commercial release of Metasploit by Rapid7, the company that bought it half a year ago. The pseudonymous author uses the occasion to explore the question of what happens to a vital open source project once it is sold commercially. "Metasploit might become one of the first examples of how a completely FOSS project grows up to be successful. It is the venture capital model without the startup money (though VCs are funding plenty of OS startups these days, too). Build it. They will come. Someone will buy it. And if you want them to stay, the FOSS project better remain as well supported as the eventual commercial version. This isn't the first open source project to have been bought by a big guy. And the jury is still out on most of them. I could argue that Metasploit is a bit unique in that it didn't have a commercial arm when Rapid7 acquired it. That could not be said about SUSE or MySQL or even Gluecode (bought by IBM), etc."

"The challenge for open source is that, while it's a fun hobby, how can we make it sustainable?"

Sustainable is the key word for me here. If selling to a private corporation is the only sustainable way, that's too bad. That's why I like hybrid software licenses [fairsoftware.net] that combine open collaboration with some guarantee of revenue-sharing. Can we find a way to work together on a piece of code but still sell it for a reasonable price to end-users and sustain the developers? I sure hope so.

Because in the case of Metasploit, what do you think happens when all the developers now have a paying job? Even though the code is open, if it doesn't get maintained, it will die. So in practice, the project is basically at the mercy of the acquirer.

He appears to be associated with it, in some way or another (but maybe he is just a huge fan).

His whole analysis seems to ignore the part where some huge portion of open source software was released by a corporation (that paid an individual to do some work-for-hire, so the individual really doesn't have to worry if the work is sustainable or not, he is getting his right then).

Prior to the acquisition, all of the developers also had full-time paying jobs (with a couple exceptions for students). The difference is now we have a half-dozen getting a salary to work on it full-time, in addition to the normal community contributions. Since all of the core code goes back to the BSD-licensed public source tree, the acquirer has a strong incentive to continue maintaining it in order to prevent a fork.

Recently I've come across this in the day job where we forked an open-source project in order to get it PA-DSS certified, which the original supporting organization had no will to do. But the process required by PA-DSS makes a community driven development model almost impossible. There have to be proper testing procedures in place and documented, and a chain of trust for security updates, etc. That pretty much means that the project now has to be run by our internal development team and signed binaries

The challenge for open source is that, while it's a fun hobby, how can we make it sustainable?

That's pretty much what people said in the 80s, arguing that the GNU project maybe could build a text editor as hobbyists, but certainly couldn't build something like, say, a compiler. Then Linux was just a hobby project, fun, but surely nobody could use it for real work. Debian, a whole OS without any paid devs? Ridiculous! And yet despite being supposedly unsustainable, the flood of open source software doesn't seem to be showing any signs of stopping? Next you're going to tell me these hippie kids will write a free encyclopedia, too.

Sure, exploring ways of tying together funding and development is always interesting, but I don't think it's because of any crisis of sustainability...

"Debian, a whole OS without any paid devs?"

1. Debian is not an OS. It is a distro.
2. No Linux distro I know of is free of code from paid devs! RedHat, IBM, Novell/SUSE, Intel, and many more pay people to develop code and then contribute that code to Linux. So any distro that includes, say, the FOSS Intel video driver is using the code of paid devs.

Even RMS states the F in FOSS does not mean unpaid or free as in beer.

And I disagree about a crisis of sustainability. FOSS has not been wildly profitable as a whole. It has not inspired a huge number of vibrant projects. For every Firefox there are tens of thousands of projects that never get past a page on SourceForge.

Even some really good FOSS software just sort of lingers on the fringe. One great project IMHO is DeVeDe, which is a super simple and easy to use DVD creation tool. "I am not the dev but I use it."

Without a clear source of revenue projects will fade.

BTW the problem is getting worse for closed source software....

But, neither has closed source software been wildly profitable, as a whole.

Over 90% of the WYSIWYG web page creator tools in the '90s didn't survive until 2000, and most of them never turned a profit, despite VC funding (or maybe because of VC funding). Dreamweaver and FrontPage are the exceptions, and FrontPage was profitable because it was bought by Microsoft.

What part of "BTW the problem is getting worse for closed source software...." did you not understand? There is a growing problem of profitability in the closed source segment as well. It is really sad because I feel overall it is causing a real decline in innovation everywhere in the PC space. Take OpenOffice for example. Its big "feature" is how close to Office it can get. Don't get me wrong, because I feel that we need OpenOffice and it serves a vital function. "But Calc SUCKS! OpenOffice FIX CALC IT IS A S

Sure, there are plenty of stalled open-source projects, but there are a whole lot of wildly successful ones too. Besides Linux and gcc, web infrastructure is in large part open-source: Apache, nginx, Perl, Python, PHP, Ruby, MySQL, PostgreSQL combine for significant marketshare, and there's a lot of innovation in that area. In fact there's not much interesting happening on the web that isn't open-source: Microsoft and Adobe are pretty much the only two games in town on that front.

Fair point, but look at some of the contributors to Linux: IBM, SGI, Hewlett-Packard, Oracle. They contributed largely in the spirit of openly contributing (highly commendable) but they also contributed because they were going to get some sort of return on that investment, no matter how indirect or long-term it might be. This was certainly not the reason Linux became what it is, but to ignore the fact that they help sustain Linux would be plain folly. Indeed, there was quite a dramatic pick-up of interest a

You know, no one said open source was perfect. Even including the issues you mention, every one of those open source projects offers products that are better than any closed source offerings. Not arguably better, but for the most part accepted as better by everyone but a few zealots.

And Linux does run the world. The number of people who run critical systems on MS products is small and dwindling rapidly. Ever heard of a router running Windows? As to commercial Unixes, they're hanging on only as long as there i

I'll wait until we're in the same galaxy, never mind on the same planet, before ripping this post to shreds. For now, I'll start with asking where this supposed rant is.

"GCC is =THE= benchmark to beat" is oh so very very condemning, I must say.

For BSD, "Very good development" and the developers are "magnificent". Hmmm. Yes, I could see how this could be taken as a put-down. What of, I'm not sure, as it clearly doesn't include the development or the developers, but probably something could be found.

Open Source is not the problem. Adversity to change (which is irrelevant) is not the problem. Marketing is not the problem. Attitudes like yours which create fictitious problems for the sole purpose of spewing at them - THAT is the problem. It is the ONLY problem. Everything else was fixed years ago.

Thanks for the laugh. I need one this morning. All that and your conclusion is that I'm the problem for...what was the reason again? Fictitious problems? Adversity to change and marketing are fictitious problems? Yeah, better wait till we're on the same planet at least.

Adversity to change is indeed a fictitious problem, as far as this is concerned. The difference between Unixes is so utterly insignificant that the IBCS module was capable of running Solaris, SunOS, Xenix and Wyse binaries as if native. It didn't have to re-implement stuff, as with Wine, it just had to do a few minor tweaks and things Just Worked. Thus, there IS NO CHANGE. You can't be adverse to something that doesn't bloody well exist.

Marketing is also irrelevant as Unix vendors all market about the same,

I've noticed that whenever I fry the crap out of delinquent thinkers on one thread, I get these sorts of even-more-mindless posts from ever-more delinquent thinkers. Dunno if it's a case of flushing the vermin out of the woodwork, or merely a case of me not being "one of you", that gets your snot-filled attitude going. But frankly it pisses me off.

Sounds like basically the name plus some core devs. It's BSD-licensed, so in theory they could've made their own proprietary version without even buying it, but in that case it might've been harder to get any attention or traction, and they might have had difficulty finding people familiar enough with the codebase and willing to write proprietary-licensed additions/extensions.

Yes you can. OSS code is owned by somebody. If it was not, how could the license requirements be enforced? You buy the code, you just realize that you can't stop anybody else in the world from using it -- that's the whole point. You do own it though.

Metasploit used to have nice GUI and web-based interfaces. Once it was purchased, they were immediately dropped.

Also, a project like Metasploit can't live without community contributions, and we have yet to see if these are sustained. When contributing to a noncommercial open source project, the feel is one of peers collaborating. When contributing to a commercial product, the feel is more like working without a paycheck...

Metasploit used to have nice GUI and web-based interfaces. Once it was purchased, they were immediately dropped.
Citation needed.
I can't download the latest release at work, but I downloaded one recently and it had the web interface.

HDM ended support for the GTK and web interfaces when he was purchased. Now, you need to purchase Metasploit Express (http://www.metasploit.com/express/) to get a graphical interface for Metasploit.

Not quite - Prior to the 3.2 release, both the main developer for msfweb and the main developer for msfgui dropped out of the project (LMH and Fabrice); We fixed these interfaces up just enough to make them work for 3.2, but they have always been incredibly buggy and crash-prone. The msfweb interface needs an overhaul to be really usable (and we would love for someone in the community to take this on), however the msfgui interface will have to be rewritten from the ground up due to an insane number of crash bugs in the ruby-gnome2 codebase. As the project moved towards 1.9 compatibility, both msfweb and msfgui fell even further behind. We deprecated these interfaces in 3.3, which was immediately after the acquisition, but the acquisition had little to do with the decision to stop trying to maintain these. The main goal of msfweb and msfgui was to support an interactive console on the Windows platform; since we added RXVT/Cygwin to the 3.3.x packaging, it became possible to run msfconsole natively, removing the need to keep hacking msfweb/msfgui to work. The decision really came down to msfweb vs cygwin; with msfgui no longer an option due to the aforementioned crash bugs.

Long-term, we are trying to consolidate all of the interaction into a small number of tools; currently we have msfconsole, msfcli, msfweb, msfgui, msfrpc, and then msfencode+msfpayload. We would like to merge the cli functionality into the console (it's buggy with certain module types at the moment), remove msfweb and msfgui until we find a new owner in the community, make msfrpc the standard way to programmatically interact with the framework, and combine msfpayload/msfencode into a single utility.

Well, apologies if I mistakenly attributed to the Rapid7 purchase what was actually a technical decision. From an outsider viewpoint, the project was acquired, then the GUI support was dropped, then a commercial GUI (Metasploit Express) was offered for purchase; so it certainly seemed like these things were related.

You deserve to make money from your great project--thanks for creating it. I do, of course, hope that the project isn't forced to compromise because of the new financial interests.

Thanks! We would be happy to continue development of msfweb/msfgui if we find someone in the community to take it on. Funny enough, many of the "hardcore" users (module developers) were happy about the decision to deprecate the web and gui interfaces, but they tend to be console-mode purists anyways:) Sorry for the AC comment earlier, took a bit to find my credentials for this account.

The challenge for open source is that, while it's a fun hobby, how can we make it sustainable?

There is a tried and proven set of options: get a paying user to underwrite the work, get a paying user to buy customization services from individuals, form a company around it, or form a non-profit which accepts tax deductible donations to fund development. There really isn't much of a difference here between this form of labor and all other forms of labor.

- Develop software that can be used for the average need of the average user out there (average relative to any particular field).
- Let people have it free
- Develop modules for niche needs for the software
- Sell modules
- Profit

The logic is, not everyone will need every functionality. It will just bloat the software. So, something that will work and do the core tasks needed needs to be open source, and any added obscure or specific functionality has to come with modules. This way, users will be abl

Another interesting example of commercial success around a "pure" FOSS project is Drupal, originally developed about 10 years ago as the centerpiece of Dries Buytaert's Ph.D. research. About two years ago, Acquia was started to provide a supported distribution of Drupal with commercial support and now hosting for Drupal projects (drupalgardens). With so many themes and modules being developed for Drupal, many of which are free, we are now seeing new Drupal distros spring up, in much the same way that Linu

Once upon a time, a long time ago, in the land known as FreakingFarkedUpLand...a tool company was formed. They made tools. They designed tools and sold tools. They never used tools all that much, a teeny bit..but they wanted to "make money", and they decided since the upcoming "modern civilization" that everyone was talking about was coming soon, that by selling tools to build civilization, they could all be rich. Well, there was just one guy to start with, but he had some "investors" who needed to get ric

I don't think you can get rich if your main product is the open source software. There are only a few exceptions where software is the real product, like Windows, Photoshop, etc. This software is a niche product, very specialized. But most of the time software is just a by-product of your enterprise.

Apple, for example, doesn't sell MacOS so much as Macs. Apple is a hardware company; the MacOS system is just a by-product. If Apple would release MacOS as open source, they wouldn't lose much, because nobody ca